SecPro #42: Understanding Dirty Pipe, Analyzing System Information Discovery, and Implementing Wireshark at an Enterprise Level
Despite continued cyberwar raging on an intercontinental level, most cybersecurity professionals have had to continue getting on with their lives as normal. New critical vulnerabilities in Linux, Veeam, and other programs mean that it has been a busy week for many people. Ransomware is still spreading across the US and Europe, making people like the SecPro readership the first line of defence against international criminal gangs and suspected nation state-level threats.
But while we all sit with shields up, ready for the next threat, conferences are still going on and security researchers are still doing what they do. This week, we’re turning our coverage towards a developer intentionally disrupting the NPM supply chain, how to use the MITRE ATT&CK framework, and how to get the most out of Wireshark. In an effort to give you something that will be useful for Monday morning, we have also included a few tools for malware detection and Linux security.
TL;DR 💬
- 🔸 Turning Read to Write Permissions with Dirty Pipe
- 🔸 How to Use Wireshark at Enterprise Level
- 🔸 MITRE ATT&CK – System Information Discovery
- 🔸 News Bytes: NPM compromise, another Wiper in Ukraine and more
- 🔸 Secret Knowledge: Malware Detection & Linux Security
Cheers!
Austin from Packt
Vulnerability Analysis
Understanding Dirty Pipe: Turning Read to Write Permissions with Dirty Pipe
By Austin Miller
Another Linux vulnerability has been uncovered, this time giving users the chance to write arbitrary data to files they have no permission to modify. Although relatively difficult to exploit, this vulnerability could easily be weaponized by an insider threat. At a time when the adversary is turning to corrupting insiders, this is very much a red alert for organizations that depend on Linux services.
What is Dirty Pipe?
Exploiting a fundamental way in which Linux deals with memory and file handling, Dirty Pipe is a vulnerability that was caused by commit 241699cd72a8 (made in 2016), which added new functionality to pipe buffers. To understand how this vulnerability was possible, we need to look at five key aspects of the way Linux handles memory: memory pages, page caches, pipes, pipe flags, and system calls.
Want to read the rest of Understanding Dirty Pipe? Click the button below 👇 to find the full article.
Threat Hunting
How to Use Wireshark at Enterprise Level
By Austin Miller
If you were lucky enough to attend SharkFest this week, you will know about Stephen Donnelly’s presentation on implementing Wireshark in an enterprise setting. This tool should be well known to everyone reading this newsletter, but making the jump from analyzing packets in a small to medium business setting to full-enterprise solutions is difficult.
Thankfully, this talk offered plenty of tips on how to effectively implement the open-source tool into the day-to-day life of a network administrator or cybersecurity analyst in a full enterprise setting. Here are some of the key findings that I took away from the SharkFest celebration of the best tool for traffic analysis available right now.
Want to read the rest? Click the button below 👇 to find the full article.
Threat Hunting
MITRE ATT&CK – System Information Discovery
By Austin Miller
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. – Sun Tzu
This week, we’re looking at the 9th most common procedure in the MITRE ATT&CK framework – T1082: System Information Discovery. And just like the adversary knows their full offensive capabilities, they are keen to understand your defensive procedures too. Running the opposite of a threat intelligence campaign can give threat actors everything they need to run successful exploits – potential vulnerabilities, operating system information, host/user information, and a breakdown of the hardware you are using.
The truth is that once an adversary has breached your defences, system information discovery is extremely easy.
What is system information discovery?
System information discovery is simply finding out the specifications of a target system. Deploying a piece of malware after a phishing attack isn’t plug-and-play – the malware must be launched on a system that is actually going to be affected by it. That’s why the adversary is constantly looking for relevant system information and ways to integrate it into their malware procedures.
Want to read the rest? Click the button below 👇 to find the full article.
Cybersecurity News
News Bytes
The NPM Dependency Tree Is Compromised – Again
In a month where cybersecurity professionals have been expecting foreign attacks to reach their perimeters, it seems that a supply chain attack has compromised two modules from the Vue.js JavaScript framework. The issue was immediately addressed by users of Snyk, and the node-ipc maintainer, RIAEvangelist, made a stunning statement about supply chain attacks in the industry.
What happened with the Vue.js framework should act as a cautionary tale for developers and security leads in development environments. This could easily have led to a severe attack, but instead users were only faced with this message:
This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.
Called peacenotwar, RIAEvangelist’s initial source code was published on March 8th. Almost no downloads occurred until March 15th – the day its npm maintainer added it as a dependency of the popular module node-ipc. As of the time of writing, peacenotwar has been downloaded almost 30,000 times. If this had been a malicious piece of code, we could be looking at a very severe supply chain attack that no one would have noticed until it was too late.
The question to take away from this is “what do I know about my supply chain?”, followed by how you plan to improve your security posture in that regard. If you have any ideas, send in your answers and I will collate them in next week’s article on improving security in the supply chain.
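One concrete way to start answering “what do I know about my supply chain?” is to ask the lockfile which of your direct dependencies pulls in a given transitive package. The following is an added example written for this newsletter, not code from node-ipc or npm; the lockfile fragment is constructed to mirror the node-ipc → peacenotwar chain described above, and its version strings are illustrative.

```javascript
// Added example: walk an npm lockfile (v2/v3 "packages" map) and list every
// dependency chain from a direct dependency down to a named transitive package.

// Constructed lockfile fragment (illustrative versions, not real release data):
// the project depends on node-ipc and js-yaml; node-ipc pulls in peacenotwar.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "node-ipc": "^10.0.0", "js-yaml": "^4.0.0" } },
    "node_modules/node-ipc": { version: "10.0.0", dependencies: { peacenotwar: "^9.0.0" } },
    "node_modules/peacenotwar": { version: "9.0.0" },
    "node_modules/js-yaml": { version: "4.0.0", dependencies: { argparse: "^2.0.0" } },
    "node_modules/argparse": { version: "2.0.0" },
  },
};

// Lockfile keys look like "node_modules/foo" or, for nested installs,
// "node_modules/a/node_modules/b"; the package name is the innermost segment.
// (Nested duplicates are collapsed by name here, which is enough for this demo.)
function nameOf(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Return every chain [direct, ..., target] through which `target` is reachable
// from the root package. An empty array means the package is not in your tree.
function pathsTo(lock, target) {
  const byName = new Map();
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key !== "") byName.set(nameOf(key), meta);
  }
  const found = [];
  const walk = (name, chain) => {
    if (chain.includes(name)) return; // guard against dependency cycles
    const next = [...chain, name];
    if (name === target) { found.push(next); return; }
    const deps = byName.get(name)?.dependencies ?? {};
    for (const dep of Object.keys(deps)) walk(dep, next);
  };
  const roots = lock.packages[""]?.dependencies ?? {};
  for (const direct of Object.keys(roots)) walk(direct, []);
  return found;
}

// Which direct dependencies are responsible for bringing `target` in at all?
function directDependentsOf(lock, target) {
  return [...new Set(pathsTo(lock, target).map((chain) => chain[0]))].sort();
}

console.log(pathsTo(LOCKFILE, "peacenotwar")); // [ [ 'node-ipc', 'peacenotwar' ] ]
```

Pointing `pathsTo` at a real `package-lock.json` (parsed with `JSON.parse`) answers the same question for your own projects; a non-empty result for a package you did not knowingly add is the signal to investigate.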
Want to read the rest of this week’s news? Click the button below. 👇
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Malware Detection
🔸 stamparm/maltrail: Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists.
🔸 airbnb/binaryalert: BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules.
🔸 niallmcl/Deep-Android-Malware-Detection: We use a convolutional neural network (CNN) for Android malware classification. Malware classification is performed based on static analysis of the raw opcode sequence from a disassembled Android APK.
Linux Security
🔸 sleventyeleven/linuxprivchecker: This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.
🔸 OpenVPN/openvpn3-linux: This is the next generation OpenVPN client for Linux. This project is very different from the more classic OpenVPN 2.x versions. First, this is currently only a pure client-only implementation.
🔸 cddmp/enum4linux-ng: A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed for security professionals and CTF players.